A Comprehensive Study of the GeoPass User Authentication Scheme

Abstract: Before deploying a new user authentication scheme, it is critical to subject the scheme to comprehensive study. Few works, however, have undertaken such a study. Recently, Thorpe et al. proposed GeoPass, the most promising of a class of user authentication schemes based on geographic locations in online maps. Their study showed very high memorability (97%) and satisfactory resilience against online guessing, which means that GeoPass has compelling features for real-world use. No comprehensive study, however, has been conducted for GeoPass or any other location-based password scheme. In this paper, we present a systematic approach for the detailed evaluation of a password system, which we implement to study GeoPass. We conducted three separate studies to evaluate the suitability of GeoPass for widespread use. First, we performed a field study over two months, in which users in a real-world setting remembered their location-passwords 96% of the time and showed improvement with more login sessions. Second, we conducted a study to test how users would fare with multiple location-passwords and found that users remembered their location-passwords in less than 70% of login sessions, with 40% of login failures due to interference effects. Third, we conducted a study to examine the resilience of GeoPass against shoulder surfing. Our participants played the role of attackers and had an overall success rate of 48%. Based on our results, we suggest suitable applications of GeoPass in its current state and identify aspects of GeoPass that must be improved before widespread deployment could be considered.